Johannes Caspar, the data protection commissioner for the German state of Hamburg, has been scrutinizing Facebook for some time.
In August, Caspar threatened Facebook with a heavy fine unless it deletes the data of its facial recognition database compiled from photos tagged by users on the social networking site.
Last week, the commissioner demonstrated evidence that implicates the company in secretly creating tracking profiles of every user, through the use of cookie files.
Cookies are small files that are installed on a user’s computer to help with the functioning of a website. Unique about the two cookies that Facebook routinely installs is that they remain active after logging out.
Facebook on its website defends the use of these files. The company claims that they contribute to user’s safety by preventing unauthorized access to accounts, helping recover passwords, and other security features.
Caspar dismissed these claims as untrue after he put the files to a test, as documented on his website in a detailed review. He found that the logout cookies are not necessary for most of the claimed safety features. Additionally, they stay active for two years, even after one has canceled his or her membership.
The commissioner said in a statement it seemed “very doubtful that the cookies only enable collecting such personal data that is needed for the use of the service.”
Caspar suspects that Facebook uses the files to create a profile of browsing behavior of each of its millions of members. German and European data protection laws, however, demand that a user be informed and has to opt in to any such collection of private data. This practice therefore would be illegal.
As the commissioner sees it, the use of Facebook is not free. “For a Facebook membership, users pay in the currency of their personal data,” as said in a brochure published by Caspar’s office.
These allegations come as the office of the Irish Data Protection Commissioner is about to complete a privacy audit of Facebook. The investigation, the biggest the Irish office has ever done, was launched after a law student from Vienna, Max Schrems, put in 22 complaints against Facebook.
Schrems was prompted to challenge Facebook after he found out about the extent of information the company had stored about him. As his right under European law, he demanded from Facebook a copy of the personal data of his three years of membership. In the 1,200 pages of data, Schrems was shocked to find sensitive personal information he thought had been deleted.
One of Schrems’s complaints to the Irish commissioner is Facebook’s lack of transparency. His demands are that the social networking giant reveal what personal data it stores, and what the data is used for.
Since all of Facebook’s operations for members outside North America are based in Dublin, the company has to comply with European law. Therefore, the results of the Irish probe might have far-reaching implications for the American company, possibly for all of its 800 million members.
European, and particularly German, privacy laws are much stricter than in the United States, partly due to how personal data was misused under European dictatorships.
As Peter Schaar, the federal commissioner for data protection in Germany, told ARD, a public broadcaster, “When a company claims to encompass the whole of life, I am worried. … It goes toward a totalitarian direction.”
